LOW: Auto-generated encryption key stored in same SQLite database as encrypted data #85

Closed
opened 2026-05-31 12:04:17 -05:00 by null · 1 comment
Owner

Bug Description

When TOKEN_ENCRYPTION_KEY env var is not set, encryptionService.js auto-generates a random key and stores it in the user_settings table (_auto_encryption_key). This means the encryption key and the encrypted data (data_sources.encrypted_secret) are in the same SQLite file.

An attacker with database access gets both the key and the ciphertext.

Impact

Acceptable for the current threat model (filesystem access = game over regardless). But worth documenting for deployment documentation.

Recommended Fix

Document in deployment guide that TOKEN_ENCRYPTION_KEY should be set as an environment variable in production. Consider logging a warning when the auto-generated key is used.
null added the backend, priority:low labels 2026-05-31 12:04:17 -05:00
Author
Owner

closed v0.35.0
null closed this issue 2026-05-31 15:36:21 -05:00
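
One way to implement the warning suggested in the issue, as an added example that is not BillTracker's own code. The function name `resolveEncryptionKey`, the `get`/`set` settings interface, and the 64-hex-character key format are assumptions; only `TOKEN_ENCRYPTION_KEY`, `_auto_encryption_key` and `data_sources.encrypted_secret` come from the issue.

```javascript
const { randomBytes } = require('node:crypto');

// Setting name taken from the issue; everything else here is hypothetical.
const AUTO_KEY_SETTING = '_auto_encryption_key';
const HEX_KEY = /^[0-9a-f]{64}$/i; // assumed format: 32-byte key as hex

// settings: any object with get(name)/set(name, value), standing in for the
// user_settings table. warn: logger callback that receives one message.
function resolveEncryptionKey(env, settings, warn) {
  const fromEnv = env.TOKEN_ENCRYPTION_KEY;
  if (fromEnv) {
    // Fail loudly on a malformed key instead of silently falling back
    // to the key stored in the database.
    if (!HEX_KEY.test(fromEnv)) {
      throw new Error('TOKEN_ENCRYPTION_KEY must be 64 hex characters');
    }
    return { key: Buffer.from(fromEnv, 'hex'), source: 'env' };
  }

  let stored = settings.get(AUTO_KEY_SETTING);
  if (!stored) {
    stored = randomBytes(32).toString('hex');
    settings.set(AUTO_KEY_SETTING, stored);
  }
  // Warn on every start, not only when the key is first generated, so the
  // weak configuration stays visible in the logs.
  warn('TOKEN_ENCRYPTION_KEY is not set: using the auto-generated key stored ' +
       'in the database next to data_sources.encrypted_secret. ' +
       'Set TOKEN_ENCRYPTION_KEY in production.');
  return { key: Buffer.from(stored, 'hex'), source: 'database' };
}

// Constructed demo: an in-memory Map stands in for user_settings.
function demo() {
  const warnings = [];
  const settings = new Map();
  const warn = (msg) => warnings.push(msg);
  const fallback = resolveEncryptionKey({}, settings, warn);
  const again = resolveEncryptionKey({}, settings, warn);
  const fromEnv = resolveEncryptionKey(
    { TOKEN_ENCRYPTION_KEY: 'ab'.repeat(32) }, settings, warn);
  return { fallback, again, fromEnv, warnings, settings };
}
```

The returned `source` field lets a startup health check or the deployment guide's verification step confirm which key path is active.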
Reference: null/BillTracker#85